Tarun Wadhwa is a writer, researcher, and entrepreneur working at the intersection of technology and public policy.

You would think that it would be a terrible idea for a company accused of helping teenagers send each other sexually explicit images to feature bikini-clad young girls in their marketing. Most would avoid such direct associations, for good reason – it’s immature, and edgy when it doesn’t need to be.

But not the makers of the enormously popular app, Snapchat, which allows people to send images and videos that “self-destruct” after a few seconds.

The company claims messages are deleted once they are opened, but there have been a series of recent scandals showing that this may not be completely accurate.  Their product is far from perfect, and there are several ways to compromise the protection they offer.  It is never a good idea to send something over the internet that would damage you or your reputation if it became public.  While this may be common sense, it has little to do with how we actually act online.

The makers of Snapchat are right to reject the “sexting app” label — it’s not clear that this is what it is even being used for, and everyone deserves the option to communicate privately when they want, without automatically being branded as a pervert.

Within a few months of launching, the company has made an enormous and lasting impact on the culture of communication on the Internet, and we should all be grateful.

They have simplified a security process enough to the point that anybody can use it, while validating the market of the next generation of privacy-preserving ephemeral communication.  Most importantly, we may finally get a break from the forced permanence of the Facebook and Google world, where everything you do and share is a data point to be monetized and re-sold to the highest bidder.

And Snapchat isn’t even the best product out there — there’s a whole slew of communication tools that are more secure and functional making their way into the public eye.

One of those is Wickr, created by RSA veteran Nico Sell, a more serious security-focused app that uses “military-grade” encryption to send text, video, voice, and document files that can self-destruct after a given period of time.  Hospitals and law enforcement have expressed interest in a similarly functioning Android app, Gryphn.  Although it’s not “self-destructing,” keep an eye on the exciting and powerful suite of communication apps developed by encryption legend Phil Zimmermann’s Silent Circle company – they are not for “average” users, but they could provide enterprise and more serious clients a massive improvement in security.

What apps like these do is allow us a little bit more freedom to be ourselves, for better or worse.

In the copycat world of Silicon Valley startups and funding, expect to see a lot more “Snapchat for _____” type companies.  Finally, the lack of app creativity may work in the favor of consumers.  We have accepted the notion that what you do on the internet is permanent – a statement that is partially a truthful observation, and partially a threatening promise from the companies and entrepreneurs who are making it a reality – but it doesn’t have to be that way for everything.

Perhaps the greatest impact of this rising industry will be when the giants try to co-opt them, as Facebook attempted with Poke.  The issue of trust in these companies aside, it would be a winning situation for everyone for ephemeral features to be built into the services we already use.

We need more human-behavior-friendly default settings.

Privacy is complicated, and nothing is ever completely secure.  Nobody is immune from this, as Nicholas Weaver wrote in Wired, “even the head of the CIA can’t email his mistress without being identified by the FBI.”  But in the billions of messages already sent through Snapchat are a few people who didn’t have their lives ruined because of something they shouldn’t have shared.

The media can continue to ridicule the “sexting app” that so many young people are using, but they are entirely missing the point.  The same generation being blamed for the supposed “death of privacy” has become wiser than those who are criticizing them.

In a candid admission at the Milken Conference this year, former UK Prime Minister Tony Blair, when recalling his college days playing in a band, told the audience, “thank God social media didn’t exist then, because if it did, I wouldn’t be here.”  The Internet wasn’t built with security in mind, and we’re still dealing with the consequences of that.  The next generations are going to be the ones who pay the true cost of the design decisions we make today.

Tarun Wadhwa is a writer, researcher, and entrepreneur working at the intersection of technology and public policy. You can follow him on Twitter – @twadhwa – or contact him directly at VB@tarunwadhwa.com. Also, check out his upcoming book, Identified, which will be out later this year. 

Image credit: Shutterstock/Shocked man

According to a test by Ars Technica, Microsoft is intercepting, decrypting, and reading at least some Skype messages — to the point where URLs embedded in Skype chat are being visited by machines at IP addresses belonging to Microsoft … most likely a bot, but potentially a human being.

“And this can only happen,” Ars’ security expert Dan Goodin writes, “If Microsoft can convert the messages into human-readable form at will.”

Skype currently uses 256-bit AES encryption to secure communications between users, which is considered very secure. Secure, perhaps, but not necessarily private. When Ars sent messages via Skype containing four web links created specifically for this experiment, two of them were accessed by a Microsoft-controlled machine.

Skype’s privacy policy openly states that Skype may check instant messages and SMS texts for spam, fraud, or phishing attempts, and, in some cases, have a human being check them. Ergo, we can decrypt our own encryptions and can know what you say and know what you send.

Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links. In limited instances, Skype may capture and manually review instant messages or SMS in connection with Spam prevention efforts. Skype may, in its sole discretion, block or prevent delivery of suspected Spam, and remove suspicious links from messages.

That’s not good if you have an expectation of and desire for privacy. And now that it’s obvious that Microsoft itself can read your private messages, the question is, who else has that ability?

Almost a year ago, the FBI requested private backdoor access into multiple communication and social networks, including Facebook, Twitter, and, yes, Skype. Wiretaps are increasingly useless, the FBI realized, and modern communications were defeating the bureau’s attempts at surveillance. Whether the requested access was ever granted is unclear, but Microsoft has a patent on ways to make it happen.

And Skype’s terms of use also say the company can route your communications to law enforcement agencies:

Skype may disclose personal information to respond to legal requirements, exercise our legal rights or defend against legal claims, to protect Skype’s interests, fight against fraud and to enforce our policies or to protect anyone’s rights, property, or safety.

However, if you want more security — and privacy — on Skype, you can have it. You simply have to pre-encrpt any messages (as a Polish professor discovered) and then decrypt them on the receiving end.

I won’t do that, and most Skype users won’t do that, probably because we’re not discussing matters of national security or engaging in nefarious behavior. But it’s disappointing, if only the cold slap of reality in a dangerous and violent world, that private isn’t really private any more.

And it would be nice to know the exact limits of Skype privacy and security.

I have talked to a Microsoft representative about this story and am awaiting a statement or comment from the company.

Actually, it’s not that difficult, according to mobile security company Fixmo’s CEO, Rick Segal.

“Despite the Bush years of let’s go play in another war, there’s a very tight, close alliance between Canada and the USA,” Segal says.

He can get away with saying that sort of thing more than most Canadians, because the CEO of this Toronto-based startup is a ex-patriate American who has spent the last 15 years in Canada. He’s building his business in Ontario because, he says, of the tax credits for high-tech companies, the influx of talent from the most-populous Canadian province’s 50+ universities, and the ability of Canadian governmental agencies to give him personalized attention in his efforts to break into new markets.

Such as sponsoring him to attend expensive international conferences like the one where he met “some NSA folks.”

Fixmo makes mobile security products that allow organizations to safely offer BYOD (bring your own device) policies that don’t imperil sensitive data and networks. The company, which had just three employees just a few years ago, offers an encrypted sandbox, digital fingerprint technology that can detect tampering to your mobile operating system, and compliance breaches like the installing of unauthorized apps on both iOS and Android. Built with 256-bit encryption, two-factor authentication, and remote wipe capability, Fixmo’s products are sold largely to governments.

And, interestingly, they’re built on software originally developed by the NSA.

“The US government and security agencies tend to view Canada as one of its own,” Segal says. “Eyebrows don’t get raised when a Canadian company does business with NSA … there’s no ‘it’s a foreign country’ kind of thing going on.”

It started — as so many things do — in Vegas.

While attending the wireless industry trade show CTIA in March 2011, Segal met the men in black who represent the NSA’s Technical Transfer Program, which is in place to commercialize technologies and products developed inside the agency. Interested in Fixmo’s existing security products, the NSA decided the company was a good bet to do business with.

After developing a relationship that resulted in a technology transfer in which Fixmo licensed agency-developed security code, Segal started building shippable products based on the NSA technology. Fixmo’s products, the company’s sales literature highlights prominently, “have been developed as part of a cooperative research and development agreement with the U.S. National Security Agency.”

That commercialization has culminated in the sale of those products back to the three-letter agencies.

“Seventy percent of our customers are government agencies like the NSA, FBI, and Homeland Security,” Segal says, noting a contract with the US air force that completed last week. “One of our clients has 700,000 seats.”

The company’s other clients include businesses in the financial services and healthcare industries, both sectors in which privacy, security, and compliance with corporate policies are paramount.

photo credit: DonkeyHotey via photopin cc

Disclosure: I’ve been invited by the government of Ontario to explore the startup ecosystem in Toronto, Waterloo, and elsewhere, and this post is part of that series, and Ontario has paid for this trip. My reporting, however, is my own.

The bombings in Boston and the subsequent investigation of the suspects will likely revive the debate about pervasive security camera surveillance in the U.S. Stationary security cameras near the bombing location evidently gave police a key lead in identifying the suspects, as the past day of breaking news reports has revealed.

Such technology has long been envisioned in Hollywood films, ranging from comic romps like The Truman Show to paranoid dystopias like Minority Report. The idea was popularized in George Orwell’s novel, 1984, about life in a totalitarian state. With the rise of terrorist attacks and improved technology, security cameras have become part of everyday life for many.

As soon as the bombs went off and the investigation was under way, law enforcement agencies such as the FBI asked the public for their photo evidence. In the first four days of the investigation, more than 2,000 tips of all kinds came in. It appears that photos taken by a Lord & Taylor store provided key evidence in this case.

Civil libertarians are likely to be on the defensive in their argument that pervasive cameras represent an invasion of privacy and an unwarranted search. In the United Kingdom, surveillance cameras have been in use for more than a decade, and they number in the millions. China has also installed large numbers of security cameras, but those countries clearly have different positions on privacy and freedom.

Organization such as the Surveillance Studies Network have used such monitoring for years. They define a “surveillance society” as the one that engages in the “extensive collection, recording, storage, analysis and application of information on individuals and groups in those societies as they go about their lives.” The American Civil Liberties Union has set up a site dubbed youarebeingwatch.us, and Observing Surveillance has also attempted to raise awareness about surveillance cameras.

The ACLU site carries a story that notes that one crime has been solved for every 1,000 cameras in the U.K. Another story, citing a study by New York University, questions whether cameras actually result in reduced crime.

“We already live in a state of Big Brother and Little Brother,” said Dave Maass, the media relations coordinator for the Electronic Frontier Foundation in an interview with VentureBeat. “Little Brother takes the form of people using their own cameras. We are sort of monitoring ourselves. That is an indicator of where we are as a society.”

Considering that every smartphone has a camera, he has a point. He also notes that more surveillance cameras, operated by the government in stationary locations, might not have prevented the bombings. It is often too much work to scan a crowd for faces and the cameras become more useful after the fact. In that respect, people should understand the limitations of general, compared to targeted, surveillance, Maass said.

Boston law enforcers focused on activity around the Forum Restaurant on Boylston Street. Those video cameras captured the faces of the suspects, but they were blurry. The police asked if anyone recognized the suspects, hoping that crowdsourcing the investigation would turn up names. That suggests that they (or other law enforcement agencies) didn’t possess their own accurate face-recognition software that could come up with the answers automatically (or that it didn’t work on what images they had).

Photos from the public emerged that gave sharper images of one suspect at the scene of the crime. Of course, security cameras are only part of the investigation effort, and they can lead the public astray, particularly if subjects are misidentified or wrongly accused. Faster communication technology helped spread information quickly, but, in one case, it came up with the wrong suspect. Another person was reportedly afraid to leave his house because a newspaper misidentified him as a suspect.

Face recognition is notoriously difficult. One tech executive told me that his company tried to reduce the data processing problem by reducing the facial imagery to 3D graphical representations. But the problem was that on every plane, the face-recognition software would come up with one person who looked like a known terrorist. Most likely those were false positives. Face recognition also works on people who are known to law enforcement, not just anyone walking down the street. It is a huge “big data: challenge.

Surveillance technology has been evolving for a long time, with a lot more dollars going into it since 9/11. Imaging chip companies such as Pixim in Silicon Valley have been working on high-dynamic range imaging for years. Cameras equipped with such chips can adjust for any kind of lighting situation. So if there are dark and bright images in the same scene, Pixim’s chips can adjust the image so you can make out the details in both the dark and light sections. That helps improve the recognition of faces.

Based on news about the investigation, the blurry photos were still evidently clear enough for people who knew the suspects to recognize them.

Here is the video camera imagery posted by the FBI on Thursday.

Shortly after two bombs exploded near the finish line of the Boston Marathon on Monday, the FBI called on the people of Twitter to submit photos, videos, and any other information about the scene.

Some said this would be the first crowdsourced crime investigation. And people on 4chan, a famously anarchic message board, took the crowdsourcing into their own hands, combing through photos and video and posting annotated pictures in an attempt to finger the suspects on their own.

Score one for traditional police work. The FBI released photos today showing its two main suspects in the Boston Marathon bombings. None of the photos match the 4chan’s picks.

In the aftermath of the bombings, the Internet lit up with attempts to raise funds for victims, connect people who met on the track, and find the individuals who committed such an ugly crime. But “suspects” were called out incorrectly. The New York Post printed an image of two men with backpacks at the race, calling them “BAG MEN” and claiming that law enforcement was on the hunt for them. It turned out not to be the case, causing Reddit to delete any posts that linked to the image and ban anyone who attempted to upload the story.

4Chan went on its own search for the individuals and created the “4Chan Think Tank,” an Imgur page with over 50 images of people it felt were suspicious.

With the FBI’s release today, however, we see that none of them really match up. Some images do get close with similar clothing styles, baseball caps, and more. But the FBI pictures have major differences from 4chan’s images. For example, a figure seen repeatedly in 4chan’s pictures has a white baseball cap, like the one in the FBI photo, but their clothes don’t match.

For now, crowdsourced detective work hasn’t gone much farther than pointing fingers. Perhaps the FBI involved crowdsourcing in some way, perhaps using tweeted pictures, YouTube videos, and more to put the pieces together, but at some point the general public just doesn’t have as many resources to hunt these guys now.

So, let’s ask ourselves. Do citizen detectives serve the public — or just promote fear?

Photo credit: FBI

Bloomberg broke the story and said that Google is the second company to fight back against NSLs. Challenges are rare — of 300,000 government-issued NSLs since 2000, only a handful of companies have resisted. The letters enables intelligence organizations to send secret requests to Web and telecom companies to gather data that is “relevant” to an investigation. They do not need a judge approval and come with a gag order, so people who receive the requests cannot talk about them.

Google filed a petition to “set aside the legal process,” citing a provision that enables judges to modify or deny NSLs that are “unreasonable, oppressive, or otherwise unlawful.” It is unknown why Google received the request, but in a blog post earlier this month, Google’s director of law enforcement and information security Richard Salgado said the company has been “trying to find a way to provide more information about the NSLs we get — particularly as people have voiced concerns about the increase in their use since 9/11,” and would include data about NSLs in their Transparency Report.

While civil rights groups aren’t always thrilled about how Internet companies use their customers’ private data, they are responding positively to Google’s stance against unwarranted government probes. The Electronic Frontier Foundations attorney Matt Zimmerman told Bloomberg “the people who are in the best position to challenge the practice are people like Google. So far no one has really stood up for their users.”

The FBI’s ability to issue NSLs was expanded under the Patriot Act. In 2007, the Justice Department found “serious misuse” of the FBI’s surveillance powers through its unlawful obtainment of information. Illston, Google, and others are taking steps to challenge the NSLs on the basis that they are “unreasonable, oppressive, and otherwise unlawful.”

Photo Credit: Cliff 1066/Flickr

Apple’s iMessage product is stymieing the U.S. Drug Enforcement Administration–  in that the DEA can’t intercept messages sent though the tool.

The government agency released an intelligence note to law enforcement, acquired by CNET today, saying specifically that iMessages cannot be intercepted between two Apple devices. Specifically, the DEA cannot intercept these messages using traditional trap and trace devices, pen register devices, or wiretapping data collection through “Title III interceptions.”

Apple introduced iMessages in 2011 as a way for people with Apple devices — be it iPhones, iPads, or Macs — to message each other without paying for text messages on the person’s carrier plans. The messages are encrypted between the two devices and cannot be traced by the carrier.

FBI director Robert Mueller has spoken about such gaps, which are called “going dark,”  in communications collected from a suspected criminal. As CNET notes, Mueller spoke with the House of Representatives recently to say that these gaps are “growing and dangerous” and that laws need to be put in place that help the FBI get the information it needs while simultaneously protecting individual privacy.

The DEA seemingly first got wind of the issue with iMessage in February of 2013 when the San Jose Resident Office was unable to capture all the messages from a criminal.

“The significance of the iMessage transmission is investigators may erroneously believe they have a complete record of text transmissions if they are unaware that iMessage communications between smartphones are not captured or provided by the cell phone service providers,” the DEA said in its intelligence note.

We have contacted Apple for comment and will update this post upon hearing back.

iMessage image via Robert S. Donovan/Flickr

A judge ruled today that the government cannot assign gag-orders to national security letters (NSL) — the requests for data and other information that the U.S. government uses to get details on about specific people in the name of national security.

Judge Susan Illston made the call today, saying the gag-orders associated with such letters impede freedom of speech, and that the letters are overall unconstitutional. The judgement came after a telecommunications company challenged one of these orders, saying it wanted to go public with the fact that the government was requesting information. The company, which remains unnamed, was represented by the Electronic Frontier Foundation (EFF).

This is a big step for many who think these letters result in too much secrecy around government surveillance and give agencies like the FBI the ability to hide behind a curtain. Companies like Google and Facebook create transparency reports showing government data requests from around the world, but have not been able to include information about national security letters because of their nature.

“The government’s gags have truncated the public debate on these controversial surveillance tools. Our client looks forward to the day when it can publicly discuss its experience,” said Matt Zimmerman, the senior staff attorney for the EFF, in a statement.

The judge is giving the U.S. government a grace-period of 90 days to allow them to appeal the decision.

Many have already taken to Twitter in support of the decision. Researcher Jacob Appelbaum tweeted, “I look forward to the court order that ensures all current and past people targeted by FBI NSLs are notified and encouraged to file suit.”

hat tip Wired; FBI image via cliff1066™/Flickr

Wojciech Mazurczyk (10 points if you can pronounce that name) has found a way to hide data in the 70-bit packets that Skype sends by default when it’s detecting silence … when you’re not talking. Skype itself does nothing with these packets when it receives them, but Mazurczyk’s team has discovered a way to intercept and decode them anyway, according to New Scientist.

An even higher level of secrecy might seem like overkill for an already-encrypted call, but Skype is owned by Microsoft, and we know that 3-letter American government agencies want the ability to monitor your digital communications on Skype and social networks … and have asked Microsoft, Facebook, and others for backdoors in their communications technologies.

Microsoft does have a patent application in process called “Legal Intercept” that enables the ability to record “any kind of voice-over-Internet-protocol (VoIP) communications” by re-routing messages over “a path that includes a recording agent.”

It’s unclear at this point whether law enforcement agencies are actually intercepting and listening to Skype conversations, but the Skype privacy policy does seem to allow for it, including the actual “content of instant messaging communications, voicemails, and video messages” in a long list of data that Skype collects on its users.

And this clause basically says that what you do or say on Skype could be disclosed and, I suppose, used against you in a court of law for basically any reason, including the fairly nebulous “protecting Skype’s interests:”

Skype may disclose personal information to respond to legal requirements, exercise our legal rights or defend against legal claims, to protect Skype’s interests, fight against fraud and to enforce our policies or to protect anyone’s rights, property, or safety.

All of which goes to show why security researchers might be tempted to find ways to use probably the most popular VoIP app on the planet without airing their private conversations for anyone in law enforcement to enjoy.

A Microsoft representative I contacted for comment could not speak about this issue immediately (it is, after all, the weekend). A Skype representative, similarly, is conferring with the company’s chief security officer, who is based in the UK, before commenting.

Mazurczyk will be presenting his team’s work and findings at a steganography conference this summer in France.

photo credit: Chris Pirillo via photopin cc, Vince Welter via photopin cc

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Last week Anonymous claimed it plucked 12 million unique identifiers associated with iPhones from an FBI laptop. Today, however, a Florida publishing company says it was actually its servers that were hacked, according to NBC News.

On September 4, Anonymous announced that it stole 12 million UDIDs after hacking into what seemed to be a poorly protected FBI agent’s laptop. The group released one million of those numbers as proof that it had actually obtained them. The incident raised questions of government surveillance and what the FBI would be doing with all those UDIDs (which on their own don’t provide give any personal information such as credit card numbers or passwords).

Quickly following the hack, both the FBI and Apple responded. The FBI said it had “no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.” The agency went on to call the claims “totally false.”

Apple later said it hadn’t given the FBI any of the UDIDs and that the FBI had not requested any of them.

According to NBC News, publishing company Blue Toad said it ran the publicly available UDIDs against its own database and found they matched up with 98 percent accuracy. That was enough to convince the small company that its own servers had been hacked, and it has called foul on Anonymous’ claims. The company says it has already reached out to law enforcement but does not plan on contacting those who may have been affected.

As per its website, Blue Toad lets people publish content such as a magazine to a catalog or brochure using its technology. It also works with app development.

“As an app developer, BlueToad would have access to a user’s device information such as UDID, device name, and type,” Apple spokeswoman Trudy Muller told NBC News. “Developers do not have access to users’ account information, passwords, or credit card information, unless a user specifically elects to provide that information to the developer.”

via NBC News; Anonymous image via skenmy/Flickr

To say it was a busy week in technology and gadget news is a bit of an understatement.

The four-day work week was jam-packed with a smattering of smartphone, e-reader, and tablet press events and revelations. If that wasn’t enough, Y Combinator picked a bit of a fight with a onetime friend. Oh and that monstrous Facebook-Instagram deal finally closed. It’s about darn time!

In all the chaos, we didn’t get to a few bits of news, some juicy rumors, and an Apple leak or two. Here are our picks for stories that you should totally Pocket or Instapaper (yes, we just used these services as verbs) for your weekend reading.

New iPods, yo!

Apple has a whole lot more to show off Wednesday than a brand new iPhone. Sources told 9to5Mac that the company will also unveil new iPods in all shapes, sizes, and colors.

Expect a new iPod shuffle in eight different colors (perhaps that explains Apple’s rainbow event decor), a new, possibly taller iPod nano (also in eight colors), and two redesigned iPod touches at high price points.

Get the tissues out, Twitter for Mac is on the chopping block

The word on the street, according to blogger-turned-investor MG Siegler, is that Twitter has made the decision to stop supporting Twitter for Mac.

“They won’t kill it outright, but no further updates,” Siegler tweeted on Thursday.

Mr. Siegler’s tweet hit a nerve with Twitterers. The tweet was retweeted 703 times and favorited by 97 folks.

For what it’s worth, blogger John Gruber said he too has heard the same sad whispers. “Worst part is, they may even have a retina-ready update ready to release — but they’re just going to keep it in their pocket out of spite. They want people to use the website,” Gruber wrote today.

Based on what we’ve heard from a few friends, these rumors are pretty legit. Twitter, however, has yet to comment on the matter.

We totally get that Twitter wants to drive people to the web app to rake in the big bucks from advertisers, but yea, it really is the end of an era.

Obama wins in race for most tweets per minute

The President knows how to get your Twitter juices flowing. Barack Obama generated 52,000 tweets per minute during his address at the Democratic National Convention. Mitt Romney’s speech didn’t get quite the same response. The Republican nominee generated 14,000 tweets per minute.

It’s probably worth noting that 67 percent of the Twitter conversations related to Obama’s address were positive, according to data compiled by social media analytics firm Crimson Hexagon.

Google refuses to help feds unlock pimp’s phone

Remember when we told you that the FBI was trying to force Google into unlocking an alleged pimp’s cellphone? Of course, how could anyone forget such a story? Well, it turns out that Google ignored the warrant and refused the request. Sorry, no pimp data for you, FBI.

Google’s decision sparked a story in the Wall Street Journal about the muddy legal standards associated with third-parties unlocking smartphones on behalf of the government. Basically, it’s one hairy mess.

If the feds can’t get into a suspect’s phone they’ll turn to software makers for help, and sometimes they’ll come with a warrant. Whether the law actually requires companies such as Google and Apple to comply with these warrants isn’t all that clear.

Kindle Fire HD burns Google

Amazon stepped on a lot of toes when it revealed its Kindle Fire HD, but Google got the double rub. Not only will the Kindle Fire HD go head-to-head to with Google’s Nexus 7, but the device will also direct mobile searchers to Microsoft’s Bing search engine. Burn.

We picked up a Kindle Fire HD on Wednesday and noticed that our web queries defaulted to Bing’s search engine. We found this to be quite curious indeed, and it turns out that our Binging experience was no accident at all.

AllThings D confirmed with Amazon that Bing is the search engine of record for the Kindle Fire HD.

Photo credits: Kevin Rose/Instagram, Crimson Hexagon, DavidDennisPhotos.com/Flickr

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Apple responded today to the hack on 12 million UDIDs, or the unique number associated with iOS devices, after hacker collective Anonymous said the bounty was stolen from an FBI laptop.

“The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID,” said Apple spokesperson Natalie Kerri in a statement to All Things D.

Yesterday, Anonymous released one million of the stolen UDIDs and promised that it could release the other 11 million. The group, which is known for hacking in the name of a political or moral position, claimed the loot was lifted from a laptop owned by an FBI agent. The hackers allegedly were able to access the data through a vulnerability in Java.

The FBI followed the hack with its own statement yesterday, saying “there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

The agency also tweeted about the issue, calling Anonymous’ statements “totally false.”

ESET researcher Stephen Cobb wrote about the hack this morning, saying he found his wife’s information in the released one million UDIDs, which can be accessed following instructions Anonymous posted in Pastebin. Cobbs says that he sees “no evidence” that Apple’s security has been breached and thinks the data might not be FBI-based either.

“Of course, the interwebs are abuzz with speculation about government surveillance, but the file could also be from an ad agency or data broker,” said Cobb in a blog post. “Right now I am not too concerned that this particular group of hackers has the data. They seem determined to use it to make a point, not a profit.”

via All Things D; Tim Cook image via igrec/Flickr

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

The Federal Bureau of Investigation says hacker group Anonymous is lying about retrieving 12 million UDIDs, or the unique identifiers associated with Apple mobile devices, from an agency laptop.

This morning, the hacker collective released one million UDIDs along with usernames, addresses, phone numbers, and other pieces of personal information. It reportedly did this by exploiting a vulnerability in Oracle’s Java, which has been having problems of its own lately, to access a computer allegedly owned by an FBI agent. But the federal agency does not agree.

“The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed,” the FBI said in a statement. “At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

The agency also tweeted about the incident saying, “Bottom line: TOTALLY FALSE.”

It’s understandable that the FBI would be up in arms about this one. If Anonymous’ story is true, it raises the question as to why an FBI agent would have this many UDIDs on a laptop, and why the data on that laptop wasn’t otherwise secured. It also nods at the growing concern over surveillance of U.S. citizens, a hot topic at conferences like Def Con where one former National Security Agency employee said the majority of us are under watch.

One Anonymous bull horn, AnonymousIRC, tweeted, “You know you’re doing something right if @FBIPressOffice throws caps at you on twitter to deny an #Anonymous statement,” followed by, “What a day. @FBIPressOffice screaming in caps at us while @AdrianChen is wearing a tutu. Really need more of those. #ForTheLulz.”

In its press release regarding the hack, Anonymous said it would not answer any press questions unless Gawker writer Adrian Chen wore a tutu and put a shoe on his head for the Gawker home page. As you can see, he took one for the team.

FBI Image via JLaw45/Flickr

U.S. authorities want to give alleged Megaupload kingpin Kim Dotcom access to just a single 40-page document out of 22 million e-mails before his extradition hearing, according to Stuff.co.nz.

Dotcom has become a bit of an Internet folk hero as of late and now is acting as a larger-than-life figure fighting overreaching government charges. His file-sharing service Megaupload was shut down in January by U.S. and New Zealand authorities as part of a massive sting operation against sites that enabled copyright infringement. The two governments had Dotcom arrested, seized his assets (illegally, according to a judge), and filed an extradition request to have him sent to the U.S. from New Zealand. Since that time, he has attracted the support of Apple co-founder Steve Wozniak, who says the case against Dotcom is “weak.”

Now the FBI does not want to give Dotcom access to its large stores of evidence before his Aug. 6 extradition hearing. Instead, it wants to provide him and his team with a 40-page document that summarizes 22 million e-mails that the U.S. is using as evidence. The U.S. argues that Dotcom does not need to see all the evidence against him before he faces trial in U.S. courts.

Dotcom’s legal team said disclosure of all the evidence against Dotcom is necessary to defend him during the extradition hearing. Without all the evidence, his lawyers said, they would have “their hands tied behind their backs.”

Dotcom recently blamed U.S. Vice President Joe Biden for having authorities target Megaupload. He also blames MPAA (Motion Picture Association of America) president and former U.S. Senator Chris Dodd.

Next up in the case, a U.S. court will hear a motion from Dotcom’s lawyers on July 27 to dismiss all of his charges, according to New Zealand’s Times Live. We don’t expect anything to come of it.

Kim Dotcom photo illustration: Jolie O’Dell/VentureBeat

Hundreds of thousands of people will likely be kicked off the Internet next week when the FBI shuts down servers hosting the “DNSChanger” virus.

The group behind the DNSChanger virus, which affected some 4 million computers around the world, was shut down in November by the FBI, but the virus still persists on many PCs. In the last stage of the FBI’s Operation Ghost Click, it will shut down temporary DNS servers on Monday, July 9. When those servers are shut down, it will kick off anyone who still has the DNSChanger virus on his or her machine.

There are still an estimated 275,000 infections around the world, a considerable drop from the 650,000 machines that were still infected in November. The drop can be attributed to efforts by the FBI and computer security companies, which have prompted people to check for the virus and remove it.

If you are concerned about your computer having the virus, Trend Micro has instructions for both PC and Mac users to check for it.

Image credit: John David Bigl III/Shutterstock

The U.S. Federal Bureau of Investigation arrest 24 hackers today, in a string of cyber crime that could have cost victims $205 million.

According to Reuters, the FBI was able to find the hackers after creating a forum called Carders Profit in 2010. The website acted as a black market for selling personal data such as hot credit card credentials. The agency prevented the sale of over 411,000 credit and debit card numbers. Of the 24 hackers arrested, 11 were from the United States. All those arrested were male between the ages of 18 to 25.

One of the arrested hackers named Mir Islam, is said to be a part of a new cyber criminal group UGNazi. Islam, who is otherwise known as JoshTheGod, shows up on the UGNazi Twitter account as one of the more prominent contributors. The group recently claimed to have taken Twitter down last week. The social network, along with its content manager Tweetdeck, went down around 9 am Pacific time on June 21, and was quickly returned to life about an hour later. The company denied the hacking and blamed its downtime on, “a cascaded bug in one of our infrastructure components.”

Islam is accused of offering to sell over 50,000 stolen credit card numbers.

via Reuters

IPv6 might be good for the Internet, but it’s throwing a wet blanket on law enforcement work, the FBI says.

Internet Protocol version 6, as it’s properly called, is going to save the web from running out of addresses. In the current version, IPv4, we only have 4.3 billion addresses to issue to every web-connected device, including smartphones.

That supply was set to run out, but IPv6 will create a huge number of addresses and stave off disaster for another few years at least (God willin’ and the crick don’t rise).

However, the glut of new addresses poses problems for FBI agents and other law enforcement officials who need to conduct investigations on the web to thwart, say, terrorists and child pornographers.

In fact, an FBI spokesperson told Cnet, IPv6 will likely “have a profound effect on law enforcement,” perhaps requiring some new tools and software for hunting down the baddies out there on the web.

Law enforcement at all levels frequently send requests for information to Internet service providers and web-based companies, but the IPv6 changes will make responding to those requests a longer, more difficult process. ISPs and web services will have to gather and store much more information on individual customers and devices, such as source ports, addresses, and times.

Not only does this require more storage space (ergo more expense) for the ISPs and web companies; it’s also unlikely to sit well with privacy organizations and many consumers.

World IPv6 Day is coming up next week, and IPv6 adoption has been heating up over the past several months. Last November, we reported that IPv6 adoption had skyrocketed by 1,900 percent, largely due to GoDaddy’s efforts.

IPv6 adoption is a key issue for computer networks, but remember, not all computers look like computers these days. The “Internet of Things,” the network of tablets, smart TVs, web-connected refrigerators, talking robot dogs, etc., depends on having enough IP addresses to go around, and it depends on IPv6 to become a reality.

---

Big Data and Predictive/Real-time Analytics startups: Are you looking to jumpstart development & accelerate market traction? Sign up for the SAP Startup Focus program to receive technology, support, resources and community to help you develop new applications on SAP HANA, a cutting edge database platform. Get started here, and enter promo code “VB2013″ on the form.

---

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

The FBI is demanding Google unlock the Android phone of Dante Dears, a pimp who has allegedly violated parole by operating a prostitution business from his cell phone.

After failing to gain access through the Android smartphone’s pattern lock, the FBI filed a warrant authorizing it to force Google to open the phone. Law enforcement officials were let to this action by an anonymous tip that Dears was still prostituting young women, despite his recent time in jail for the same.

Dears was released from jail in May 2011 after being charged as a founding member of prostitution group “Pimpin’ Hoes Daily,” or PhD (we’re sure his doctoral thesis was on human anatomy). The group is considered a “criminal street gang” in California. After his sentencing in 2005, Dears was let out on parole four years later in 2009. He violated parole, was sentenced to another one and a half years in jail, and ultimately released last spring. Given his previous violation, Dears was forced to wear an electronic GPS ankle monitor, forcing him to turn to an Android phone to run his sex business.

The FBI wants Google to provide any subscriber information associated with the phone, including name, address, billing information, credit card numbers, social security number, account login credentials, and any other identifiable information. The agency would also like details on accessed websites, the duration of time on the Internet, any contacts in the phone’s address book, text, photo, and video messages, instructions on how to override the pattern lock, search terms used, and any GPS locations associated with the phone.

As part of his current parole, Dears gave up his search rights under the Fourth Amendment, which allowed FBI agents to find the evidence needed to for the warrant. Security researcher Christopher Soghoian makes the point, however, that this may go farther than forcing Google to open the Android. Phones are constantly receiving information. New phone calls, e-mails, and text messages intended for Dears will be sent to the phone after it is unlocked. The FBI is therefore intercepting those messages on the way to the intended receiver. To move forward with the investigation, the FBI may need to get a wiretap order.

via Ars Technica; Prostitute image via Shutterstock

The FBI has revealed that there were $700,000 worth of fraudulent credit card charges after hacktivist group Anonymous stole nearly 200 gigabytes of data, including credit card numbers, from security firm Stratfor.

“At least $700,000 worth of unauthorized charges were made to credit card accounts that were among those stolen during the Stratfor Hack,” said Mahil Patel of the FBI to a judge overseeing the Stratfor case.

Stratfor, which has a number of high-profile clients including the Department of Defense, Lockheed Martin, and Bank of America, was breached in December. Soon thereafter hacker Jeremy Hammond was arrested for leading the attack.

Anonymous stole a large amount of user names and passwords, in addition to some 60,000 credit card records, after exploiting vulnerabilities to reach Stratfor’s servers. At the time, Anonymous said it would use the credit cards to make charitable donations — money that would obviously never see the hands of the needy. One VentureBeat tipster claimed Anonymous actually charged $300 worth of hooded sweatshirts to an account.

The damages may still be growing, however. The FBI explained that the $700,000 figure did not include any charges on credit card records that have not yet been reviewed. The number Patel offered the judge only referenced records reviewed between December 6 and early February.

In addition to the credit card numbers and other personally identifiable information, Anonymous also stole emails from Stratfor executives, including chief executive George Friedman. These emails were subsequently fed to Wikileaks which, with participation from a number of publications around the world, began publishing the emails in late February. Some emails held what Wikileaks considered damning information, including odd nicknames such as “Hizzies” for members of Hezbollah and “Adogg” for referencing Iran president Mahmoud Ahmadinejad.

via SecurityWeek

Anonymous image via Shutterstock

The indictment of five purported members of the LulzSec hacker group has been released, along with comments from the unexpected informant: assumed LulzSec “leader,” Sabu (pictured above).

LulzSec is best known for its “50 days of Lulz,” during which the group performed daily cyber attacks on a number of high-profile companies such as PBS and the U.S. Senate public website. The group disbanded thereafter, though its members probably were absorbed into hacktivist group Anonymous. At the time, LulzSec and Anonymous were reportedly “bros.”

“Bros” must be a loose term, as Sabu, or Hector Xavier Monsegur, was unmasked by law enforcement in June and used to find other members’ identities. For those who have followed the group on social networks such as Twitter, the revealed names are familiar. Jake Davis, known as topiary, was arrested in the UK, spurring attacks done in the name of “Free Topiary.” Ryan Ackroyd who was known on Twitter as lolspoon, and referred to as Kayla, also resided in the UK. Darren Martyn was best known as pwnsauce and Donncha O’Cearrbhail, known as palladium, both lived in Ireland. Jeremy Hammond was better known as Anarchaos.

Hammond is listed in a separate complaint from the larger indictment mentioning the first four.

The indictment claims the group was first active under the name “Internet Feds,” responsible for the attacks on Fine Gael, HBGary, and Fox. That accounts for Count One of the indictment. Count Two follows their actions under the title LulzSec. It reads:

“Although the members of LulzSec and their co-conspirators claimed to have engaged in these attacks for humorous purposes (“lulz” is Internet slang which can be interpreted as “laughs,” “Humor,” or “amusement”), LulzSec’s criminal acts included, among other things, the theft of confidential infromation, including sensitive personal information for thousands of individuals, from their victims’ computer systems; the public disclosure of that confidential information on the Internet; the defacement of Internet websites; and overwhleming victims’ computers with bogus requests for information (known as “denial of service” or “DoS” attacks).”

The indictment specifically mentions LulzSec’s attacks on Sony Pictures, PBS, Infragard-Atlanta, and Bethesda Softworks. The offenses within each attack are obvious: stealing personal information, including usernames, passwords, dates of birth, and more, as well as publishing them publicly in press release form.

It also states that the highly-followed Twitter handle @LulzSec was created by Jake Davis (topiary).

Check out the indictments, individual complaints against Jeremy Hammond and Donncha O’Cearrbhail, as well as Sabu’s information below:

Overall Indictment

Hector Xavier “Sabu” Monsegur Information

Jeremy Hammond (a.k.a. Anarchoas) Complaint

Donncha O’Cearrbhail (a.k.a. palladium) Complaint

Scribds via Gizmodo, image of Hector Xavier Monsegur via Fox News

Anonymous hacker via Flickr commons

It’s the sort of gamesmanship that keeps readers turning the pages in a spy novel. The FBI says that Anonymous, the loose-knit collective of global hackers, intercepted a highly sensitive call between American cybercrime experts and their counterparts at Scotland Yard discussing, what else, Anonymous.

“The FBI might be curious how we’re able to continuously read their internal comms for some time now,” Anonymous teased in a Twitter message.

The 15 minute recording was released on Pastebin and then posted to Youtube. “I’m not sure if we’re the only two on here right now,” says an American agent named Bruce.

“Don’t say anything too bad, I’m on here with Matt,” replied his counterpart from Scotland yard. The group has a chuckle, unaware of the irony.

Anonymous also released an email with the time and password for the conference call, so they may have simply dialed in, rather than using more sophisticated techniques to intercept the conversation.

During the call the investigators discuss how they might proceed against Ryan Cleary and Jake Davis, two British suspects who are set to appear in court as suspected members of Anonymous. Highly sensitive tactics are discussed for when Scotland Yard might move to make further arrests and the evidence they are planning to bring to the trial.

Pop star Will.i.am endorsing Megaupload

In putting the kibosh on MegaUpload, federal prosecutors arrested seven men and froze millions in assets. With their funds in limbo, MegaUpload can’t pay the costs to the companies that store its data, and a letter from the federales says that these companies, Carpathia Hosting Inc. and Cogent Communications Group Inc., can begin deleting the files stored with them as early as this Thursday.

This can’t be welcome news to the people who claim to have uploaded important and perfectly legal files to MegaUpload, and are currently in the process of trying to sue the FBI for seizing their data. To be fair, that group of affected users is spearheaded by a pirate site, which doesn’t exactly lend credence to the idea that there was a large group of users relying on MegaUpload for legit purposes.

Beyond the collateral damage to MegaUpload users, the loss of data might have a more important impact, the destruction of evidence. MegaUpload’s attorney, Ira Rothken, argues that the files stored with these third-party companies may prove valuable in his defense and that it’s in the best interest of all parties to ensure they don’t disappear. “We’re cautiously optimistic at this point that because the United States, as well as Megaupload, should have a common desire to protect consumers, that this type of agreement will get done,” he told the AP.

The FBI copied some data during its seizure, but left the bulk untouched. The government, after seizing MegaUpload’s assets, hasn’t stepped forward yet to assume the costs of keeping this data while the trail moves forward. It’s a reminder that criminal investigations haven’t caught up with the reality of today’s data centers.

Remember that in June of last year, the FBI knocked dozens of innocent sites offline when it seized servers at a hosting facility in Reston, VA. Perhaps the big takeaway is that when it comes to policing the criminal use of data, there is a good chance of collateral damage.

The Federal Bureau of Investigation is creating a tool that will crawl Facebook, Twitter and more to catch emergencies before they happen.

According to a posting on the Federal Business Opportunities website, the FBI’s Strategic Information and Operations Center (SOIC) is feeling out the IT industry to see if anyone can create a “social media application.” The application should be able to spider through public content posted on social media sites such as Facebook and Twitter. It should also be intelligent enough to pick out certain key words and phrases that indicate a certain event is taking place. The point of the application is to give the government readiness when dealing with emergencies, terrorist situations and other situations needing immediate response.

“The application must be infinitely flexible and have the ability to adapt quickly to changing threats to maintain the strategic and tactical advantage,” the Request for Information said, “The purpose of this effort is to meet the outlined objectives…for the enhancement [of] FBI SOIC’s overall situation awareness and improved strategic decision making.”

The tool would be used in “reconnaisance and surveillance missions, National Special Security Events (NSS) planning, NSSE operations, SOIC operations, counter intelligence, terrorism, and more.

Cybercrime is also in the FBI’s mind when creating this tool. With onslaught of cyber criminals working in large groups, not necessarily in one place, social media has been used as a place for planning attacks. For instance, the hacktivist group Anonymous used Twitter to spread the word about denial of service attacks being used to take down the Department of Justice website last week.

While Facebook still remains a fairly private ground for content, firehoses like Twitter supply news the second it occurs. Indeed, we even tweet about important events before we even know they’re important. For example, one man even live blogged Osama bin Laden’s capture on Twitter without realizing what he was hearing. Catching and decoding these types of social media messages may act as essential insight for national security advisors.

In order to identify the location of these events the pulled data should be compiled on a map. This map may show where conversations are taking place, or potentially places they are referring to. The FBI’s preferred maps for use in the app are Google Maps, Google 3D Maps, ESRI and Yahoo Maps. The map’s user interface should include different layers including a layer for where US domestic terror events may be happening, data about worldwide terror events, where US embassies, consulates and military installations are globally, weather conditions, and a video of traffic in the area.

Think you’re up to the task? Check out the job listing here.

FBI image via Shutterstock, hat tip NewScientist

---

Big Data and Predictive/Real-time Analytics startups: Are you looking to jumpstart development & accelerate market traction? Sign up for the SAP Startup Focus program to receive technology, support, resources and community to help you develop new applications on SAP HANA, a cutting edge database platform. Get started here, and enter promo code “VB2013″ on the form.

---

Megaupload founder Kim Dotcom and several other Megaupload employees were named in a 72-page indictment issued last week by the Department of Justice. The indictment against Megaupload alleges it is connected to a vast criminal enterprise that has caused more than $500 million in harm to copyright owners. If convicted, the company and its executives could serve many years in prison. Next up, Dotcom will face an extradition hearing on Feb. 22.

But the immensely popular site for file-hosting didn’t just allow users to share copyrighted movie and music files — many customers of the site used it to store and send personal files, just like you can on many other file-sharing sites on the web. When the site was taken down, Megaupload fans complained bitterly that the government had taken away access to legal files used for work, as noted by TorrentFreak.

In a response, the site Pirates of Catalonia, in collaboration with Pirate Parties International, is rallying former Megaupload users to sue the U.S. government. Pirates of Catalonia writes:

The FBI has caused incalculable damage, far in excess of the losses claimed by the content lobbies, in a fruitless attempt to prevent access to the media content hosted on Megaupload, some of which they claim to have been infringing copyright under US law. However, as much of the unlawful content will still be available via other services on the web, this action not only shows us the futility of these measures but also serves as a reminder that these files are not necessarily, nor have been shown to be, illegal in any country, including the US.

In contrast, by closing the service they have impeded the access to millions of archives of both private individuals and organisations, potentially causing huge personal, economic and image damages to a vast number of people. In addition, the Pirate Party understands they may have violated Articles 197 and 198 of the Spanish Penal Code by misappropiating personal data.

Users who have been affected by the Megaupload shutdown can sign the petition at Pirates of Catalonia’s Megaupload site.

Pop star Will.i.am endorsing MegaUpload

A strange confluence of events brought the question of how to deal with online piracy to the forefront of the American consciousness this week. Protests against the anti-piracy bills, SOPA and PIPA, were the major news of the day on Wednesday, with blackouts of big sites across the web. The very next day, MegaUpload, one of the largest sites allegedly enabling piracy on the internet, was shut down as the result of a two-year FBI investigation.

By taking unilateral action against a rogue site who’s owners were scattered across the globe, the DOJ showed that it doesn’t need new legislation like SOPA or PIPA to handle piracy. Advocates of the legislation have always said that piracy was costing America billions in jobs and endangering jobs. Stronger laws are needed, they argue, even if they might pose risks of censorship, chill investment in tech, and damage the fundamental architecture of the internet.

But the DOJ was able to rely on ProIP, a law passed back in 2008, in order to shut down MegaUpload and arrest seven of its founders. It also worked with the government of New Zealand, which denied bail to the four people arrested there, including the site’s infamous founder, Kim Dotcom. Extradition to the U.S. for trail is underway.

Of course, the debate over how best to deal with piracy is far from over. In response to the indictment of MegaUpload, the hacktivist group Anonymous took down the websites of the DOJ, the Motion Picture Association of America (MPAA), and the Recording Industry Association of America (RIAA) yesterday. And while MegaUpload and its partner sites, like MegaVideo, might seem like clear-cut villains, there is still a strong contingent that sees the sudden arrests of the MegaUpload executives as overreaching.

The comment thread on tech forum Hacker News provides a sample of this strain of thought. “It’s better to allow these sites to continue to exist and demand that they comply with the requests than take them down with the FBI or whatever law enforcement agency. The precedent is far too dangerous. Today it’s Megaupload, tomorrow it will be YouTube,” wrote user Kermit the Hermit.

A more informed opinion from Mike Masnick at TechDirt gets to the same core issue. “Why do we need SOPA/PIPA again? It seems like the DOJ/ICE just undermined the key argument of the MPAA/RIAA/US CoC for why they need these laws. After all, Megaupload was one of the key examples used for why the law was needed.” He also honed in on the fact that the arrest will only heighten the already tense debate around copyright and piracy. “Wow is the timing dumb on the government’s part. Not only does it undermine the argument for PIPA/SOPA, but it raises significant questions about whether or not the feds already have too much censorship power.”

The FBI accused a man of stealing code from the Federal Reserve Bank of New York Wednesday. The code is responsible for keeping track of the US government’s finances.

According to a statement by the FBI, a contractor by the name of Bo Zhang admitted to copying code from the Federal Reserve Bank of New York (FRBNY) to an external hard drive for later access. Zhang, who was taken into custody Wednesday, explained in a complaint released by the Fed, that he wanted the code for his personal business teaching computer programming. The code itself, known as the Government-Wide Accounting and Reporting Program (GWA) is owned by the Department of the Treasury and is used to track government spending. Like a bank, the program regularly sends out account statements to various agencies of the US government tallying their balances.

“As today’s case demonstrates, our cyber infrastructure is vulnerable not only to cybercriminals and hackers, but also alleged thieves like Bo Zhang who used his position as a contract employee to steal government intellectual property,” said Manhattan U.S. Attorney Preet Bharara in a statement.

Often we think of a cyber criminal hunched over blue computer light in some dark, remote basement typing their way into our systems. What we happily ignore are thoughts of rogue employees, who already have the hard work done for them: getting access.

The GWA was stored with the Federal Reserve Bank of New York for further development. Zhang was one of the contractors working on the program.

According to the statement, the US government has spent $9.5 million developing the code thus far. If found guilty of the offense, Zhang faces up to 10 years in prison, three years of supervised release, and $250,000. He has not been charged yet.

Hat tip Reuters, Image by epicharmus/Flickr

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Carrier IQ has responded to speculation that it’s turning over your mobile data to law enforcement with an interesting rebuttal.

In an email to VentureBeat, a company spokesperson wrote, “Just to clarify all of the media frenzy around the FBI, Carrier IQ has never provided any data to the FBI.”

Carrier IQ is a company that monitors mobile data on more than 100 million phones around the world. It sends reports related to app performance, signal strength and battery life back to carriers and manufacturers.

However, some are now alleging the company also is capable of logging every keystroke on your phone and collecting much more personal data, such as text messages and locations.

Yesterday, VentureBeat (and a number of other technology blogs) reported on a statement from the FBI. During a routine journalistic inquiry, a reporter asked the FBI whether it had gathered data from Carrier IQ.

In response, the FBI replied that while it couldn’t reveal anything about information it obtained from Carrier IQ, that information was “located in an investigative file which is exempt from disclosure” and that “the records responsive to your request are law enforcement records” involved in a pending proceeding.

Most of us took that to mean that Carrier IQ, like just about every other web company, was instituting procedures to take appropriate requests from law enforcement and comply with those requests when required to do so by, say, a warrant. Companies like Microsoft, Facebook and even “do no evil” Google do the same thing, so we weren’t too shocked by the FBI’s statement.

However, our rep at Carrier IQ tells us that because of the way the company works (as an intermediary providing data to other companies, not a company providing a service to end users), it doesn’t actually work directly with the FBI.

“If approached by a law enforcement agency, we would refer them to the network operators, because the diagnostic data collected belongs to them and not Carrier IQ,” said the spokesperson.

“Carrier IQ’s data is not designed to address the special needs of law enforcement,” the source continued. In previous emails, this source had stated that what gets sent to the companies it works with is comprised only of short codes showing that a user took a specific action, not context-rich data like keystrokes and text message bodies.

“The diagnostic data that we capture is mostly historical and won’t reveal where somebody is and what they are doing on a real-time basis,” the rep concluded.

If all this is true, the FBI’s statement could be taken to mean that the FBI’s statement was about Carrier IQ data collected from wireless carriers, with whom law enforcement agents frequently work.

With Carrier IQ under some scrutiny from officials and regulators around the world, we hope to have more and better information to pass on than he-said, she-said accusations and rebuttals.

In the meantime, Carrier IQ has released a 19-page PDF report on exactly how its technology works.

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

The FBI is getting data about you from a wide range of sources: Facebook, Google, Microsoft — and Carrier IQ, too.

UPDATE: Carrier IQ has responded to this report with a statement of their own — one that is quite explicit and actually makes sense.

Carrier IQ monitors activity on cell phones (allegedly down to the keystroke, according to some reports) and serves that data to mobile carriers and manufacturers. These companies say they use those reports to fix apps, improve service and better understand battery life issues.

However, Carrier IQ is also turning over the same data, including information about text messages, mobile web browsing and more, to the government.

Before you get your torches and pitchforks, remember that just about every web company has a “spy guide” — that is, a manual of procedures that dictate when and how law enforcement can get information about users. And by and large, companies comply with those requests.

For example, Google recently issued a whole transparency report about global government requests for user data. In the U.S. alone, Google received a total of 5,950 government and police requests about 11,057 unique accounts during the first half of 2011. The company fully or partially complied with 93 percent of those requests.

Based on facts such as these, whether or not you take umbrage with Carrier IQ’s cooperating with the FBI should depend on your attitude toward government investigation and surveillance, not just your opinion of Carrier IQ, itself.

Carrier IQ’s working with the FBI came to light due to a recent Freedom of Information Act (FOIA) filing from MuckRock.

While the FBI didn’t say exactly what kinds of information it gets from Carrier IQ, it revealed that such information is “located in an investigative file which is exempt from disclosure” and that “the records responsive to your request are law enforcement records” involved in a pending proceeding.

We’ve contacted Carrier IQ to determine if these are run-of-the-mill data requests from law enforcement and will update you if and when we hear back from the company.

In the meantime, if you wish not to be monitored by corporations and the government, we politely remind you to stay off the Internet, stop using all proprietary software and hardware, disconnect your cell phone and land line immediately, and ensure a snug fit on your tin foil helmet.

The attack was focused on domain name systems (DNS), which changes original IP addresses, rerouting a person to an unsecured website before they even know they’ve been whisked away. A group of six people from Estonia decided to use this attack, called a DNSChanger, to redirect people from advertisements they believed were innocuous to websites created by the six. The point? To steal ad revenue from the companies that placed the ads on the site.

Through this scheme, which Trend Micro’s advanced threats researcher Paul Ferguson says began in 2006, the Estonian group was able to affect upwards of 4 million people. They were so successful, the team created a company around the scam named Rove Digital. It was headed by Vladimir Tsastsin (pictured above, left), who took on the role of chief executive officer.

“They won IT company of the year!” said Ferguson in an interview with VentureBeat. “It’s the irony of ironys.”

Intercepting ad revenue became extremely lucrative for Rove Digital, raking in at least $14 for the company, according to Ferguson. In fact, he says “$14 million is a low estimate,” since they simply cannot find the rest of the money.

Tsastsin had run-ins with the law prior to his involvement with Rogue Digital, according to Ferguson. He ran a domain registrar, from which he was convicted of credit card fraud. When Trend Micro employees first noticed the Rogue DNS infrastructure, it took them a while to “connect the dots.” But once they connected them, it led straight to Tsastsin, which set off alarms.

Federal law enforcement got involved in 2007, kicking off a long and tedious investigation the FBI called Operation Ghost Click. A number of international organizations were on board, which required much communication and detailed follow ups before the FBI could take any action against Rogue DNS.

Once it did, it ended a botnet scam that had reached people in more than 100 countries. In the U.S., more than 500,000 people were affected, including government agencies such as NASA. Because of the size of this attack, Trend Micro and the FBI have released a way to check if you’ve been affected. You can find it here, below are instructions for Mac users:

1. Click on the Apple icon at the top left of your screen
2. Select “System Preferences”
3. Select the “Network” icon
4. Once open, select the currently active network connection in the left column, and “DNS” in the right
5. Note the DNS server addresses your computer is approved to use
6. Cross check them in this form, which will tell you if it is a criminal address.

If you your DNS address is bad, Trend Micro will sweep your computer for you. You should also alert the FBI with this form.

Ferguson says beyond criminal activity, it could just be a culture issue. “A lot of [post Soviet Union countries'] ‘it’s just business’ attitude extends to what most of the rest of the world calls criminal activity.”

[Image via Trend Micro]

“We will increasingly put emphasis on addressing cyber threats in all of their variations,” Mueller said today at a Senate Judiciary Committee hearing on extending his term by two years.

Mueller’s words are especially meaningful in the wake of the recent attacks on Google’s email system and major defense supplier Lockheed Martin. Hacker attacks on Sony’s PlayStation network, while not relevant to national security, have also increased public awareness of cybercrime and online threats. Mueller said the FBI will make sure “the personnel in the bureau have the equipment, the capability, the skill, the experience to address those threats.”

The Pentagon recently weighed in on cyber attacks and decided that if such an attack produces “death, damage, destruction or high-level disruption that a traditional military attack would cause,” then the attack could merit retaliation by force.

It’s good to see the Pentagon and FBI talking about cyber security on a more consistent basis and making the issue a higher priority. The last ten years have brought incredible advances in technology, but the U.S. government is considerably behind the curve at preventing potentially crippling cyber attacks.